I updated kX-Ray's Ring3 Inline API Hook scan method and since I haven't had the time to release a new build yet I created a Free stand alone program out of this very fast, smart and robust scan method. All processes are enumerated and all exported APIs in all loaded modules are scanned for code overwriting (inline) API hooks. I've yet to find a faster, more accurate Ring3 inline API hook scanner anywhere. Screen shots are below and DbgHook PE scanning settings allow for specific scan types such as module type inclusion/exclusions as well as just scanning typical win32 processes or including System processes too.

Even madExcept's .BPL module hooks (loaded by Delphi) are detected. Of course the purpose of such is a tool is simple, discovering existing hooks can help you diagnose your system, especially if you find instability between hooking packages or just want to know what process hooks what. I have not included any sort of "unhook" option in DbgHook, kX-Ray does this for any type of hook, kernel or user mode. I feel that in doing so I would be "working against" what Madshi has spent a lot of time developing so please do not ask me for such an option. If you absolutely need that option you can download my other program "kX-Ray".

I would appreciate any feedback if you find this utility useful. For best performance please run DbgHook.exe more than once, you'll find that after scanning one time, the second scan and any thereafter will be much faster. This week I plan to add support for IAT hook detection so I will post an updated build when I have the free time to do it. Email bindshell <at> gmail <dot> com for comments and/or bug reports.

Note:
Debug Hook is Ring3 Code ONLY so it requires no driver. Do not let this fool you however, it doesn't use standard methods for enumerating processes, opening them or reading memory, all of these APIs are emulated and are part of my Symbiote Project.

*Vista users* You must right-click DbgHook.exe and choose "Run as Administrator" so that Debug Hook has sufficient access rights.

My private copy also has IAT hook detection but I'm actually improving that (speed wise) so it didn't make this release, EAT is what a serious IAT patcher would also hook too which is detected in this build. I would appreciate any feedback.

I tried HookShark once but it seemed to miss some hooks, depending on method used and even when hooks were detected in a few instances the actual hook address was wrong but it is a decent tool from what I remember, just needs a speed increase and auto-scan option instead of selecting a process manually. PErvert is just a sub-component extension to it's real parent which is kX-Ray, my anti-rootkit tool. You can read about it here http://forum.madshi.net/viewtopic.php?t=4575 if you haven't already. Post is 6 mos. old but I still plan to continue it's development soon. Another thing to note is, kX-Ray and PErvert can open just about any process, even if ZwOpenProcess is hooked in the kernel (option needs checked in Settings under "Additional"). 99% of other "super" tools from my tests can't do this or at least not in a stable manner which is a real shame. kX-Ray has had this ability since day 1 of development.